Backdoor.Assasin.C is a Backdoor Trojan that gives an attacker unauthorized access to a compromised computer. By default it opens port 6,595 on the infected computer. Backdoor.Assasin.C is packed using UPX v1.20.

Backdoor.Assasin.C is a variant of Backdoor.Assasin. When Backdoor.Assasin.C runs, it performs the following actions:

It displays this message:

Invalid Jpeg Image

It copies itself as %windir%\Ms Spool32.

NOTE: %windir% is a variable. The Trojan locates the Windows main installation folder (by default this is C:\Windows or C:\Winnt) and copies itself to that location.

It then creates the %windir%\Ms spool32.dat file. This file contains the file names of executable files that processes the Trojan attempts to terminate.

The Trojan creates the value

Ms Spool32 %windir%\ms spool32.exe

in the registry key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that the Trojan starts when you start or restart Windows.

Also, it creates the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\AUFOBK

HKEY_LOCAL_MACHINE\SOFTWARE\AUFOBK\eu%t{efn74+fzb

It attempts to disable some antivirus and firewall programs by terminating the active processes.

The Trojan notifies the client side using ICQ pager and/or email.

Once installed, Backdoor.Assasin.C waits for commands from the remote client. The commands allow the hacker to perform any of the following actions:

Deliver system and network information to the hacker

Manage the installation of the backdoor Trojan

Upload and execute files

removal instructions

NOTE: These instructions are for all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Update the virus definitions.
2. Do one of the following:

Windows 95/98/Millenium: Restart the computer in Safe mode.

Windows NT/2000/XP: End the Trojan process.

3. Run a full system scan, and delete all files that are detected as Backdoor.Assasin.C.
4. Reverse the changes that the Trojan made to the registry.

To reverse the changes that the Trojan made to the registry:

CAUTION: Symantec strongly recommends that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify only the keys that are specified. Read the document How to make a backup of the Windows registry for instructions.

Once you have installed, download the latest database from the bottom of that page, and then start it up - if not detected on disk, memory space scanning should detect the trojan and you can just right click, delete.

Email me if you have any problems or questions - gavin@diamondcs.com.au